DEV Community: Deepsan Bhandari The latest articles on DEV Community by Deepsan Bhandari (@deepsan_bhandari). https://dev.to/deepsan_bhandari https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3796184%2F0e7c0a0a-96f0-4e62-afeb-db9133ae133c.jpeg DEV Community: Deepsan Bhandari https://dev.to/deepsan_bhandari en How I Built a 3-Tier Approval Engine with Spring Boot and Spring Security Deepsan Bhandari Sat, 25 Apr 2026 07:40:19 +0000 https://dev.to/deepsan_bhandari/how-i-built-a-3-tier-approval-engine-with-spring-boot-and-spring-security-4ke9 https://dev.to/deepsan_bhandari/how-i-built-a-3-tier-approval-engine-with-spring-boot-and-spring-security-4ke9 <p><em>A deep-dive into multi-level workflow logic, stateless JWT auth, service-layer authorization guards, and a full CI/CD pipeline — all in production.</em></p> <h2> Why I Built This </h2> <p>Most backend tutorials teach you CRUD. Register, login, get a list of items. That's fine — but it doesn't prepare you for the kind of systems real companies actually run.</p> <p>Almost every organization has some version of an approval workflow: an employee submits a leave request, a manager reviews it, a department head gives final sign-off. When this lives in emails and spreadsheets, things get lost, audits become impossible, and privilege abuse goes undetected.</p> <p>I wanted to build a system that solves this properly — with real state machine logic, enforced role boundaries, a full audit trail, and the kind of security architecture you'd find in a production backend. This is what I built, and here's exactly how it works.</p> <p><strong>Live Swagger UI:</strong> <a href="https://workflow-approval-system-zq0a.onrender.com/swagger-ui.html" rel="noopener noreferrer">https://workflow-approval-system-zq0a.onrender.com/swagger-ui.html</a><br><br> <strong>GitHub:</strong> <a href="https://github.com/DeepsanBhandari/workflow-approval-system" rel="noopener noreferrer">https://github.com/DeepsanBhandari/workflow-approval-system</a></p> <h2> The Core Problem: State Machines Are Harder Than CRUD </h2> <p>The fundamental challenge in an approval workflow isn't the endpoints — it's <strong>state integrity</strong>. A workflow request has states:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>DRAFT → PENDING_MANAGER → PENDING_ADMIN → APPROVED ↘ ↘ REJECTED REJECTED ↘ CHANGES_REQUESTED </code></pre> </div> <p>Every transition has rules:</p> <ul> <li>Only an <code>EMPLOYEE</code> can submit a <code>DRAFT</code> </li> <li>Only a <code>MANAGER</code> can act on <code>PENDING_MANAGER</code> </li> <li>Only an <code>ADMIN</code> can act on <code>PENDING_ADMIN</code> </li> <li>You cannot skip levels</li> <li>You cannot act on a completed workflow</li> </ul> <p>If you don't enforce these at the <strong>service layer</strong>, your API will have holes regardless of how good your controller-level checks are.</p> <h2> Architecture: Layered + DTO-First </h2> <p>The system follows strict layered architecture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Controller Layer → receives HTTP requests, delegates immediately Service Layer → owns ALL business logic and authorization guards Repository Layer → pure data access, no business logic </code></pre> </div> <p>This is not just clean code philosophy — it has a concrete security benefit. If you put authorization logic in controllers, it's easy to bypass with direct service calls in tests or internal integrations. <strong>Authorization at the service layer is always enforced</strong>, regardless of how the service is invoked.</p> <p>Every API contract is typed through DTOs — <code>WorkflowResponse</code>, <code>ApprovalStepResponse</code>, <code>ApiResponseVoid</code>. No entity ever leaks to the outside world. This enforces zero data leakage across roles by design.</p> <h2> Security: JWT with a Custom Filter Chain </h2> <p>I implemented stateless JWT authentication using a custom Spring Security filter. Here's the architectural decision that matters:</p> <p><strong>Token validation happens at the perimeter. Business logic is fully decoupled from auth concerns.</strong></p> <p>The custom <code>JwtAuthenticationFilter</code> extends <code>OncePerRequestFilter</code>. It:</p> <ol> <li>Extracts the <code>Authorization: Bearer &lt;token&gt;</code> header</li> <li>Validates the token signature using the secret key</li> <li>Loads <code>UserDetails</code> and sets <code>SecurityContextHolder</code> </li> <li>Passes to the next filter in the chain </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// Conceptual flow inside the filter</span> <span class="nc">String</span> <span class="n">token</span> <span class="o">=</span> <span class="n">extractToken</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">jwtService</span><span class="o">.</span><span class="na">isTokenValid</span><span class="o">(</span><span class="n">token</span><span class="o">))</span> <span class="o">{</span> <span class="nc">UserDetails</span> <span class="n">userDetails</span> <span class="o">=</span> <span class="n">userDetailsService</span><span class="o">.</span><span class="na">loadUserByUsername</span><span class="o">(</span> <span class="n">jwtService</span><span class="o">.</span><span class="na">extractUsername</span><span class="o">(</span><span class="n">token</span><span class="o">)</span> <span class="o">);</span> <span class="nc">UsernamePasswordAuthenticationToken</span> <span class="n">authToken</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">UsernamePasswordAuthenticationToken</span><span class="o">(</span> <span class="n">userDetails</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="n">userDetails</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">()</span> <span class="o">);</span> <span class="nc">SecurityContextHolder</span><span class="o">.</span><span class="na">getContext</span><span class="o">().</span><span class="na">setAuthentication</span><span class="o">(</span><span class="n">authToken</span><span class="o">);</span> <span class="o">}</span> <span class="n">filterChain</span><span class="o">.</span><span class="na">doFilter</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">);</span> </code></pre> </div> <p>Why stateless? Because stateless JWT means <strong>no session storage on the server</strong>. The system can scale horizontally without sticky sessions. Each request is self-contained — the token carries the identity claim.</p> <p>Passwords are hashed using <code>BCryptPasswordEncoder</code>. Never stored in plaintext, never logged.</p> <h2> The Service-Layer Authorization Guard (The Key Insight) </h2> <p>This is the most important architectural decision in the whole system.</p> <p>Here's the problem with controller-level role checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// ❌ Fragile — only enforced at the HTTP boundary</span> <span class="nd">@PreAuthorize</span><span class="o">(</span><span class="s">"hasRole('MANAGER')"</span><span class="o">)</span> <span class="nd">@PostMapping</span><span class="o">(</span><span class="s">"/{id}/approve"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">ResponseEntity</span><span class="o">&lt;?&gt;</span> <span class="n">approve</span><span class="o">(</span><span class="nd">@PathVariable</span> <span class="nc">Long</span> <span class="n">id</span><span class="o">)</span> <span class="o">{</span> <span class="n">workflowService</span><span class="o">.</span><span class="na">approve</span><span class="o">(</span><span class="n">id</span><span class="o">);</span> <span class="c1">// No guard inside</span> <span class="o">}</span> </code></pre> </div> <p>If <code>workflowService.approve()</code> is ever called internally — from a scheduler, a test, another service — the role check is bypassed.</p> <p>Here's the approach I used instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// ✅ Enforced regardless of caller</span> <span class="kd">public</span> <span class="nc">WorkflowResponse</span> <span class="nf">approve</span><span class="o">(</span><span class="nc">Long</span> <span class="n">workflowId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">approverUsername</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Workflow</span> <span class="n">workflow</span> <span class="o">=</span> <span class="n">workflowRepository</span><span class="o">.</span><span class="na">findById</span><span class="o">(</span><span class="n">workflowId</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">WorkflowNotFoundException</span><span class="o">(</span><span class="n">workflowId</span><span class="o">));</span> <span class="nc">User</span> <span class="n">approver</span> <span class="o">=</span> <span class="n">userRepository</span><span class="o">.</span><span class="na">findByUsername</span><span class="o">(</span><span class="n">approverUsername</span><span class="o">)</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">UserNotFoundException</span><span class="o">(</span><span class="n">approverUsername</span><span class="o">));</span> <span class="c1">// Guard: is this approver allowed to act on this workflow state?</span> <span class="n">validateApproverCanAct</span><span class="o">(</span><span class="n">workflow</span><span class="o">.</span><span class="na">getStatus</span><span class="o">(),</span> <span class="n">approver</span><span class="o">.</span><span class="na">getRole</span><span class="o">());</span> <span class="c1">// Guard: is the workflow in an actionable state at all?</span> <span class="n">validateWorkflowIsActionable</span><span class="o">(</span><span class="n">workflow</span><span class="o">.</span><span class="na">getStatus</span><span class="o">());</span> <span class="c1">// ... proceed with state transition</span> <span class="o">}</span> </code></pre> </div> <p><code>validateApproverCanAct</code> throws <code>UnauthorizedActionException</code> if a Manager tries to act on <code>PENDING_ADMIN</code> or vice versa. This isn't a Spring Security concern — it's <strong>business rule authorization</strong>, and it lives exactly where it should: in the service.</p> <h2> The State Transition Engine </h2> <p>The approval steps are sequential, not parallel. Each transition is explicit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kt">void</span> <span class="nf">validateAndTransition</span><span class="o">(</span><span class="nc">Workflow</span> <span class="n">workflow</span><span class="o">,</span> <span class="nc">ApprovalAction</span> <span class="n">action</span><span class="o">,</span> <span class="nc">User</span> <span class="n">actor</span><span class="o">)</span> <span class="o">{</span> <span class="nc">WorkflowStatus</span> <span class="n">current</span> <span class="o">=</span> <span class="n">workflow</span><span class="o">.</span><span class="na">getStatus</span><span class="o">();</span> <span class="k">switch</span> <span class="o">(</span><span class="n">current</span><span class="o">)</span> <span class="o">{</span> <span class="k">case</span> <span class="nl">PENDING_MANAGER:</span> <span class="n">requireRole</span><span class="o">(</span><span class="n">actor</span><span class="o">,</span> <span class="nc">Role</span><span class="o">.</span><span class="na">MANAGER</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">action</span> <span class="o">==</span> <span class="nc">ApprovalAction</span><span class="o">.</span><span class="na">APPROVE</span><span class="o">)</span> <span class="o">{</span> <span class="n">workflow</span><span class="o">.</span><span class="na">setStatus</span><span class="o">(</span><span class="nc">WorkflowStatus</span><span class="o">.</span><span class="na">PENDING_ADMIN</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="k">if</span> <span class="o">(</span><span class="n">action</span> <span class="o">==</span> <span class="nc">ApprovalAction</span><span class="o">.</span><span class="na">REJECT</span><span class="o">)</span> <span class="o">{</span> <span class="n">workflow</span><span class="o">.</span><span class="na">setStatus</span><span class="o">(</span><span class="nc">WorkflowStatus</span><span class="o">.</span><span class="na">REJECTED</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">workflow</span><span class="o">.</span><span class="na">setStatus</span><span class="o">(</span><span class="nc">WorkflowStatus</span><span class="o">.</span><span class="na">CHANGES_REQUESTED</span><span class="o">);</span> <span class="o">}</span> <span class="k">break</span><span class="o">;</span> <span class="k">case</span> <span class="nl">PENDING_ADMIN:</span> <span class="n">requireRole</span><span class="o">(</span><span class="n">actor</span><span class="o">,</span> <span class="nc">Role</span><span class="o">.</span><span class="na">ADMIN</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">action</span> <span class="o">==</span> <span class="nc">ApprovalAction</span><span class="o">.</span><span class="na">APPROVE</span><span class="o">)</span> <span class="o">{</span> <span class="n">workflow</span><span class="o">.</span><span class="na">setStatus</span><span class="o">(</span><span class="nc">WorkflowStatus</span><span class="o">.</span><span class="na">APPROVED</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">workflow</span><span class="o">.</span><span class="na">setStatus</span><span class="o">(</span><span class="nc">WorkflowStatus</span><span class="o">.</span><span class="na">REJECTED</span><span class="o">);</span> <span class="o">}</span> <span class="k">break</span><span class="o">;</span> <span class="k">default</span><span class="o">:</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">InvalidWorkflowStateException</span><span class="o">(</span><span class="n">current</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>No state can be skipped. No actor can act outside their level. Invalid transitions throw typed exceptions caught by the global exception handler.</p> <h2> Audit Trail: Every Action is Recorded </h2> <p>Every approval, rejection, or change request is recorded as an <code>ApprovalStep</code> entity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">ApprovalStep</span> <span class="p">{</span> <span class="nx">workflowId</span><span class="p">,</span> <span class="nx">actorUsername</span><span class="p">,</span> <span class="nx">actorRole</span><span class="p">,</span> <span class="nf">action </span><span class="p">(</span><span class="nx">APPROVE</span> <span class="o">/</span> <span class="nx">REJECT</span> <span class="o">/</span> <span class="nx">REQUEST_CHANGES</span><span class="p">),</span> <span class="nx">comment</span><span class="p">,</span> <span class="nx">timestamp</span> <span class="p">}</span> </code></pre> </div> <p><code>GET /api/workflows/{id}/history</code> returns the full ordered history. This is non-negotiable for any real approval system — you need to know who did what and when.</p> <h2> Testing: 80%+ Coverage with JUnit 5 + Mockito </h2> <p>I focused test coverage on the parts that matter most — the service layer where business rules live.</p> <p>Example: testing that a Manager cannot approve an <code>ADMIN</code>-level step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Test</span> <span class="kt">void</span> <span class="nf">managerCannotApproveAdminLevelStep</span><span class="o">()</span> <span class="o">{</span> <span class="nc">Workflow</span> <span class="n">workflow</span> <span class="o">=</span> <span class="n">createWorkflowWithStatus</span><span class="o">(</span><span class="nc">WorkflowStatus</span><span class="o">.</span><span class="na">PENDING_ADMIN</span><span class="o">);</span> <span class="nc">User</span> <span class="n">manager</span> <span class="o">=</span> <span class="n">createUserWithRole</span><span class="o">(</span><span class="nc">Role</span><span class="o">.</span><span class="na">MANAGER</span><span class="o">);</span> <span class="n">assertThrows</span><span class="o">(</span><span class="nc">UnauthorizedActionException</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="o">()</span> <span class="o">-&gt;</span> <span class="n">workflowService</span><span class="o">.</span><span class="na">approve</span><span class="o">(</span><span class="n">workflow</span><span class="o">.</span><span class="na">getId</span><span class="o">(),</span> <span class="n">manager</span><span class="o">.</span><span class="na">getUsername</span><span class="o">())</span> <span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Testing the happy path is easy. Testing the edge cases — what happens if a Manager tries to jump the queue, what happens if someone tries to act on an already-approved workflow — is where the real coverage comes from.</p> <h2> CI/CD Pipeline: Zero Manual Steps </h2> <p>The GitHub Actions pipeline runs on every push to <code>master</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">mvn test</span> <span class="c1"># Fail fast — catch regressions before merge</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Docker Image</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker build -t workflow-approval-system .</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Push to Registry</span> <span class="na">run</span><span class="pi">:</span> <span class="s">docker push ...</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to Render</span> <span class="c1"># Render auto-deploys from the registry on image push</span> </code></pre> </div> <p>If tests fail, the pipeline stops. Nothing broken ever reaches production. The Dockerfile uses a multi-stage build — compile in one stage, run in a slim JRE image — keeping the final image lean.</p> <h2> What I'd Add Next </h2> <p>Honest reflection on what's missing from a true enterprise system:</p> <ol> <li> <strong>Notifications</strong> — Email/webhook trigger when a workflow reaches your level</li> <li> <strong>Kafka for audit events</strong> — Publish approval events to a message broker instead of synchronous DB writes</li> <li> <strong>Pagination on history endpoints</strong> — Fine for now, but breaks under large audit logs</li> <li> <strong>Refresh token rotation</strong> — Current JWT implementation uses single tokens; production needs refresh + revocation</li> </ol> <h2> Key Takeaways </h2> <p>If you're building your own approval system or similar state-machine backend:</p> <ul> <li> <strong>Put authorization guards in the service layer</strong>, not just controllers</li> <li> <strong>Model state transitions explicitly</strong> — don't rely on if/else chains scattered across the codebase</li> <li><strong>Every action that mutates state should be audited</strong></li> <li> <strong>80%+ test coverage on business logic is achievable and worth it</strong> — not for the metric, but because the tests force you to think about edge cases</li> </ul> <p>The full system is live, fully documented via Swagger, and available on GitHub. If you have questions about any implementation detail, drop a comment — happy to go deeper on any section.</p> <p><em>Deepsan Bhandari is a Java/Spring Boot backend engineer based in Nepal, currently completing a Bachelor of Civil Engineering at IOE Purwanchal Campus while building production backend systems. Open to remote internships and freelance backend work.</em></p> <p><em>GitHub: github.com/DeepsanBhandari | LinkedIn: linkedin.com/in/deepsan-bhandari</em></p> java springboot security backend